Improving Your Routers’ Security

How to greatly improve the security of your home network.

That wireless router which sits, silent and unobtrusive, in the main room of your house or on a shelf somewhere near a telephone socket, providing that all important connection to the (virtual) outside world is locked up and safe, right?

Well, actually. No.

It would be nice to think that our telephone/television/internet service providers are interested enough in our (cyber) safety that they wouldn’t send us a piece of equipment that could potentially assist in the theft of our money, identity or worse, wouldn’t it?

In fairness, it’s not really their fault as it’s the manufacturers who make the devices this way.  And in fairness to the manufacturers, some of what I’m about to describe is really led by us, the consumer and our prevalent misunderstanding of what places us at risk.

However, there are things you can do to remedy this and greatly tighten the security on your router.

Rule 1: Change the Default Passwords
The first, and most simple, of the things that can get us into trouble is passwords.  An old favorite, and yet one that seems to constantly catch us out.  Having covered passwords in more detail elsewhere, I’ll limit this post to how they affect access to our routers.

Administrator Passwords
All routers have an administrator login and password.  When they leave the factories, almost all of the common routers are set with standard ones, expecting the end user to change them once they’ve unpacked and connected it.  In most cases, these passwords are ‘admin’ or ‘password’ and therefore insanely easy to crack (one series of Virgin hubs was ‘changeme’ which, I felt, was a good suggestion).

Similarly, the vast majority of routers/hubs also have an identicial IP address that is used to access the device and it’s controls/settings.  For example:

  • BT Home Hub 5 – 192.168.1.254
  • Netgear Extender – 192.168.1.250
  • Virgin router – 192.168.0.1

If we’re able to gain any sort of connection to the routers network, we can simply pop those numbers into the address bar of our internet browser, add our stock password, and we’re in. Everything we felt was safe and secure, now open and available to whoever chooses to look.

Pre-Shared Key/Password
In present day routers, these are normally individual and randomly generated keys, printed on an attached card or rear of the device and, as such, are reasonably secure.  The key word there, however, is ‘reasonably’.  I’d still recommend changing them to something original and more complex than the standard ones.  It’s worth noting that these pre-shared keys can contain spaces so you can even come up with interesting phrases, rather than single words.  Whatever you decide, make use full use of alphanumeric and symbol characters to make th1ng$ 3v3n h4rd3r t@ w@rk @ut.

Now, as we’re in the control panel of our router anyways…

Rule 2: Choose the Best Form of Encryption
Short and sweet;  Use WPA2 security whenever it is available.  It’s as simple as that.

Most up-to-date routers are capable of WPA2, although some slightly older ones may only have WPA capability. In these cases, WPA is your go-to.  Additionally, there are different versions of WPA2 level security; Personal, Enterprise and Mixed.  For our needs within the home (or small office),  we want to use Personal or Mixed.

Enterprise is designed for use in larger organisiations and, as such, is more complicated to set-up and will require additional devices that we’re unlikely to have laying around.

Rule 3: Change the SSID
This can be a controversial topic in some communities, with people arguing for and against whether changing the SSID improves your router/network security or not.  Personally, I’d argue that it does provide a marginal increase in the level of security, for one very simple reason.

As with the settings we looked at in Rule 1, the router’s SSID is set at the factory by the manufacturing company and is very similar to all the other routers of it’s type.  If we use the BT Home Hub 5 as an example, the SSID will look something like: BTHub5-1X1Y.  

Whilst that might not give any potential hacker a huge amount of information in itself, it does tell us the make and generic model of the router being used on a network and, potentially, the IP address of the routers’ control panel (assuming we’ve got our handy little crib sheet with us). This, therefore gets us one step closer to accessing the network with little to no effort.

Just by changing the SSID to something more unique, you’re going to make any potential hacker work that little bit harder as they have to identify the make and model of your router through other means.

Note:  Many routers offer the option to ‘disable SSID broadcast’.  This may sound like a really good idea, better maybe than changing it’s name.  However, the reality is that your router is still broadcasting the RF (Radio Frequency) signal that allows other devices to connect to it, so any potential hacker will still be able to locate the signal and therefore your router, saving nothing.  On the flip side, disabling the SSID broadcast DOES mean that you’ll have to do a full manual setup on any new devices that you wish to connect to the router..

Rule 4: Disable WPS
Back in December of 2011, there was a rather major farce around the security of the WPS protocol which involved the use of preset PIN numbers (similar to our preset admin passwords) and made WPS the digital equivalent of leaving your front door wide open with a sign that said ‘burglars welcome’.

Since 2011, WPS has improved (and here comes the ‘but’ you were waiting for) BUT it still has a huge design flaw in the way it works. This can potentially reduce the security of your router from 80-100% down to somewhere nearer 20-30%. Additionally, the original implementation comes from a source that’s considered somewhat untrustworthy and the whole idea is overcomplicated in the way it works.

I won’t go into more detail behind how WPS works and the reasons for it being such a bad egg here, suffice to say that it really isn’t something you want available on your network.

Rule 5: Update the Firmware
Every router has software installed on it that controls how it operates.  As with practically any software, the manufacturers will often find bugs or security issues that they then provide an update for.

This is a bit of a tricky one as router firmware can be awkward to update, potentially rendering your router useless if it’s done’ incorrectly. Some makes and models are easier than others to carry out (Netgear, for example, is very simple) but on the whole it can still be a bit sketchy if you aren’t sure what to do.

What I’ll say is that I’d strongly advise getting your firmware updated to the newest possible version if you can.  If you aren’t sure how to do it yourself, or are in anyway uncertain, then seek the assistance of a professional technician or someone that is familiar with routers and their operation.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s